Security constraints when creating an object

I have some issues trying to disallow a module role to create objects. I want to restrict a role from creating entities of a certain type. Assume the following: Entity Employee with an enumeration EmployeeType as attribute. Users with role A should only be allowed to see and edit employees with EmployeeType contractors. So I added an access rule for role A, with an XPath constraint on "EmployeeType = 'contractors'". This works correctly: role A users can only see the employees with that type. However, when they create a new Employee with a different EmployeeType and save this, they do not receive an error and the employee is saved. I expected that an error would have been shown.
3 answers

No, access rules are for all the reading rights. Allowing the creation of objects is a different setting. And in your case you should be allowed to create the object, but only if it is of a specific type. You should model this in a custom microflow that does the check. You could do this in the event handlers after create.

Hi Stefan,

Ronald correctly points out that this is not possible without custom logic in a microflow. I am not familiar with your complete requirements, but would it work to create the Employee in a microflow and preset the EmployeeType to contractor? Then you could remove the dropdown to set the EmployeeType, and the user will not be able to change it.

Thanks Ronald and Andrej for your answers.

I eventually solved it by refactoring the EmployeeType attribute to an entity, with a Category enum on it to use for the XPath security constraints.

While editing the Employee entity, users now only see the EmployeeTypes in the dropdown which they are allowed to use.

This even works better for our situation, since administrators can now create EmployeeTypes in the application.